Hitherto, an information processing apparatus that performs communication using Security Architecture for Internet Protocol (IPSec) is known. IPSec is widely used by applications that operate in the Internet Protocol (IP) layer and in layers above the IP layer. Communication making use of IPSec requires setting pieces of policy information. FIG. 20 shows an example of a setting operation regarding IPSec. When setting the pieces of policy information, it is necessary to set an order of priority, a name, a local address (the address of one's apparatus), a local port (a port of one's apparatus), a remote address (the address of the communication partner), a remote port (a port of the communication partner), and a common key. Policy information “a” shown in FIG. 20 indicates that, regarding an IPSec negotiation request from a communication partner corresponding to the address “192.168.1.1,” communication of data that is transmitted or received is performed using a common key “aaa,” even if the communication is one in which any port of one's apparatus is specified.
Policy information “b” indicates that, regarding an IPSec negotiation request from a communication partner corresponding to address “192.168.1.2,” communication with data that is transmitted or received is performed using a common key “bbb” even if the communication is one in which any port of one's apparatus is specified.
By setting one common key for one communication partner specified by a single address, communication can be performed using common keys that differ from one personal computer (PC) to another.
The policy information in IPSec communication is given an order of priority. The information processing apparatus determines the policy information to be used in accordance with the order of priority. For example, a policy information list, such as that shown in FIG. 20, is registered in the information processing apparatus. The case in which an IPSec negotiation request is made from the communication partner corresponding to the address “192.168.1.2” will be described. In this case, starting from the policy information having the highest order of priority, the information processing apparatus searches for the policy information in which “192.168.1.2” is set as the remote address. More specifically, starting from the policy information having an order of priority of “1” in the policy information list, the information processing apparatus compares in turn the address of the communication partner that has sent the request for IPSec negotiation with the remote address in each entry of the policy information list, and searches for the policy information that matches it. When the policy information list shown in FIG. 20 is registered in the information processing apparatus, the information processing apparatus first refers to the policy information “a” having an order of priority of 1. However, since the remote address of the policy information “a” is not set to “192.168.1.2,” the information processing apparatus subsequently refers to the policy information “b” having the second highest order of priority of 2. Since the remote address of the policy information “b” is set to “192.168.1.2,” the information processing apparatus starts communication with the communication partner using the common key “bbb” in the policy information having an order of priority of 2.
At this time, if the apparatus of the communication partner is likewise set so that the common key “bbb” is used in communication with one's apparatus, the data transmitted from the apparatus of the communication partner can be decoded with the same common key, so that the data is decoded normally. In addition, if the common key used in the apparatus of the communication partner does not match the common key used in one's apparatus, the data received from the apparatus of the communication partner cannot be decoded. Accordingly, in communication using IPSec, security is provided by making it possible to perform communication only between apparatuses that are set so that communication is performed using the same common key.
However, when one wants to set the same common key with respect to a plurality of communication partners, it is necessary to set pieces of policy information in correspondence with the number of apparatuses of the communication partners. This burdens a user.
Therefore, an information processing apparatus which can register the policy information shown in FIG. 21 is available. Policy information “c” shown in FIG. 21 indicates that, regarding an IPSec negotiation request from a communication partner corresponding to any address, communication of data that is transmitted or received is performed using a common key “ccc,” even if the communication is one in which any port of one's apparatus is specified.
Accordingly, when policy information in which a plurality of addresses are specified as the remote address of one piece of policy information is set, it is possible to set a common key for the apparatuses of a plurality of communication partners with one setting operation performed by a user.
As shown in FIG. 22, it is possible to register both policy information in which one address is set for a remote address and policy information in which a plurality of addresses is set for the remote address. A policy information list shown in FIG. 22 indicates that, in communicating with an apparatus corresponding to “192.168.1.2,” the communication is performed using a common key “bbb,” whereas, in communicating with an apparatus corresponding to an address other than the aforementioned address, the communication is performed using a common key “ccc.” Accordingly, by registering in the policy information list the policy information in which a single address is set for the remote address and the policy information in which a plurality of addresses are set for the remote address, the policy information can be flexibly recorded.
However, when the policy information in which a single address is set for the remote address and the policy information in which a plurality of addresses are set for the remote address are both registered in the policy information list, it may not be possible to perform normal communication with an apparatus of a communication partner depending upon the way the policy information is registered.
For example, it is assumed that a policy information list, such as that shown in FIG. 23, is registered in the information processing apparatus, which is one's apparatus. In addition, it is assumed that an IPSec negotiation request is sent from an apparatus of a communication partner (address “192.168.1.1”) that is set so that communication with the information processing apparatus is performed using a common key “bbb.” Here, the communication with the apparatus of the communication partner should be performed using policy information “b” in which the common key “bbb” is set. However, since the information processing apparatus searches for the remote address from the policy information having a high order of priority, the information processing apparatus starts the communication with the apparatus of the communication partner using policy information “a.” In this case, in the process of performing the communication, one's apparatus performs the communication using a common key “aaa,” whereas the apparatus of the communication partner performs the communication using the common key “bbb.” Therefore, the communication is unsuccessfully performed due to mismatching of attributes included in the pieces of policy information.
Even if a policy information list, such as that shown in FIG. 24, is registered in the information processing apparatus, which is one's apparatus, the communication may be unsuccessfully performed. It is assumed that an IPSec negotiation request which specifies a port number 9100 is given from an apparatus of a communication partner which is set so as to use a common key “bbb” in the communication with the information processing apparatus. Here, although policy information “b,” in which the common key “bbb” is set, should be used in the communication with the apparatus of the communication partner, the information processing apparatus, which is one's apparatus, searches for a remote address from the policy information having a high order of priority, and therefore starts the communication using policy information “a.”
In this case, in the process of performing the communication, one's apparatus performs the communication using common key “aaa,” whereas the apparatus of the communication partner performs the communication using the common key “bbb.” Therefore, the communication is unsuccessfully performed due to mismatching of attributes included in the pieces of policy information.
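As an added illustration (not part of the patent text), the following Python models the priority-ordered, first-match policy selection described above and adds a check that reports policies that can never be selected because a broader entry with higher priority shadows them; the policy lists are constructed to mirror the FIG. 23 and FIG. 24 situations, and the field names and the "*" wildcard are assumptions.

```python
# Added example: first-match policy selection in priority order, plus a check
# for entries shadowed by a broader, higher-priority entry. Policy lists are
# constructed samples; field names and the "*" wildcard are assumptions.
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"  # assumed wildcard meaning "any address" / "any port"

@dataclass(frozen=True)
class Policy:
    priority: int      # 1 = highest order of priority
    name: str
    remote_addr: str   # single address or ANY
    local_port: str    # single port of one's apparatus or ANY
    key: str           # common key

def _covers(pattern: str, value: str) -> bool:
    """True when a policy field matches the value (wildcard or exact)."""
    return pattern == ANY or pattern == value

def select_policy(policies: List[Policy], remote_addr: str, local_port: str) -> Optional[Policy]:
    """Walk the list from priority 1 upward and return the first match."""
    for p in sorted(policies, key=lambda p: p.priority):
        if _covers(p.remote_addr, remote_addr) and _covers(p.local_port, local_port):
            return p
    return None

def shadowed_policies(policies: List[Policy]) -> List[str]:
    """Names of entries that a higher-priority entry matches in every case,
    so they would never be chosen and their key would never be used."""
    ordered = sorted(policies, key=lambda p: p.priority)
    shadowed = []
    for i, low in enumerate(ordered):
        for high in ordered[:i]:
            if _covers(high.remote_addr, low.remote_addr) and _covers(high.local_port, low.local_port):
                shadowed.append(low.name)
                break
    return shadowed

# Constructed in the spirit of FIG. 23: an any-address entry above a per-host entry.
FIG23_LIKE = [Policy(1, "a", ANY, ANY, "aaa"), Policy(2, "b", "192.168.1.1", ANY, "bbb")]
# Constructed in the spirit of FIG. 24: an any-port entry above a port-9100 entry.
FIG24_LIKE = [Policy(1, "a", "192.168.1.1", ANY, "aaa"), Policy(2, "b", "192.168.1.1", "9100", "bbb")]
# Reordered so the specific entry is reachable and the wildcard acts as a fallback.
FIXED = [Policy(1, "b", "192.168.1.1", ANY, "bbb"), Policy(2, "a", ANY, ANY, "aaa")]

if __name__ == "__main__":
    for name, lst in [("FIG23_LIKE", FIG23_LIKE), ("FIG24_LIKE", FIG24_LIKE), ("FIXED", FIXED)]:
        chosen = select_policy(lst, "192.168.1.1", "9100")
        print(name, "-> key", chosen.key if chosen else None, "shadowed:", shadowed_policies(lst))
```

Running `shadowed_policies` over a candidate list before registering it surfaces exactly the ordering mistake the text describes, without requiring the user to reason about priority by hand.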
For preventing such unsuccessful communication, a user needs to register policy information considering the order of priority. This burdens the user when performing the setting operation.
In view of the above-described problem, the present invention makes it possible to prevent unsuccessful communication, caused by mismatching of attributes included in pieces of policy information resulting from how the pieces of policy information are registered, without having to burden a user with registering pieces of policy information considering the order of priority.